10 research outputs found

    Integrating IPsec within OpenFlow Architecture for Secure Group Communication

    Network security protocols such as IPsec have been used for many years to ensure robust end-to-end communication and are important in the context of SDN. Despite the widespread installation of IPsec to date, the per-packet protection offered by the protocol is not very compatible with OpenFlow and its flow-like behavior. The OpenFlow architecture cannot aggregate IPsec-ESP flows in transport mode or tunnel mode because the layer-3 information is encrypted and therefore unreadable. In this paper, we propose using the Security Parameter Index (SPI) of IPsec within the OpenFlow architecture to identify and direct IPsec flows. This enables IPsec to conform to the packet-based behavior of the OpenFlow architecture. In addition, by distinguishing between IPsec flows, the architecture is particularly suited to secure group communication.

    Evaluation of SIP Signalling and QoS for VoIP over OLSR MANET Routing Protocol

    This paper evaluates SIP-based VoIP applications over the Optimized Link State Routing protocol (OLSR), a proactive routing protocol for Mobile Ad Hoc Networks (MANET), using Static, Uniform, and Random mobility models. The evaluation considered the PCM, LQS, IP-Telephony, and GSM voice codecs to study SIP signaling performance and the voice Quality of Service (QoS) for VoIP calls over OLSR MANET. The simulations were performed in OPNET Modeler 17.1. The results show that VoIP over OLSR MANET performs well over Static and Uniform mobility models, while its performance varies with Random models. SIP signaling has large delays compared with the voice signaling, which reduces VoIP performance and increases the call's duration. In addition, GSM- and LQS-based VoIP calls have an acceptable level of QoS, while PCM- and IP-Telephony-based VoIP calls have a low level of QoS over the different types of mobility models. Furthermore, the location and mobility of the SIP server affect the number of hops and the SIP signaling performance between the different parties of the VoIP call.

    Known Unknowns: Indeterminacy in Authentication in IoT

    The Internet of Things (IoT), comprising a plethora of heterogeneous devices, is an enabling technology that can improve the quality of our daily lives, for instance by measuring parameters from the environment (e.g., humidity, temperature, weather, energy consumption, traffic, and others) or from our bodies (e.g., health data). However, as with any technology, IoT has introduced a number of security and privacy challenges. Indeed, IoT devices create, process, transfer and store data, which are often sensitive and must be protected from unauthorized access. Similarly, the infrastructure that links with IoT, as well as the IoT devices themselves, is an asset that needs to be protected. The focus of this work is authentication in IoT. In particular, we conducted a state-of-the-art review of the access control models that have been proposed, including both traditional access control models and emerging models that have recently been proposed and are tailored for IoT. We identified that the existing models cannot cope with indeterminacy, an inherent characteristic of IoT, which hinders authentication decisions. In this context, we studied the two known components of indeterminacy, i.e., uncertainty and ambiguity, and proposed a new model that handles indeterminacy in authentication in IoT environments.

    Secure and Robust Packet Forwarding for Next Generation IP Networks.

    Inter- and intra-domain adaptive routing protocols are required to propagate reachability information to locate other hosts, routers and contents amongst disparate parts of the Internet. Border Gateway Protocol (BGP), for instance, is the de facto inter-domain routing protocol operating amongst divergent Internet components known as Autonomous Systems (ASes). Nonetheless, the protocol can suffer from Byzantine failure, whereby a legitimate node simply misbehaves. While security should be a built-in element of any trustworthy forwarding design, it appears to be an arduous add-on process for BGP. This research addresses such vulnerabilities and can be summarised as follows:
    1. A Detailed Survey on the BGP State-of-the-art Security Challenges and Solutions: these analyses proved that Byzantine failure remains the inherent deficiency here. The results also stressed that a potential solution should be an incrementally deployable remedy, involve minimal/standard crypto, be placed on a higher layer than BGP, and not be optional.
    2. Robust Modelling/Visual Analytics of BGP & its Security Vulnerabilities/Schemes: the experimental results from the emulated Cisco infrastructure evidenced that the magnitude of the adverse effect of accepting false or malicious reachability information depends directly on the location of the origin, so the Byzantine attacker’s position relative to the victim’s location becomes determinative. The OPNET-based modelling visualised and validated that the richer the attacker is in interconnectivity, the larger the adversary’s impact. Additionally, the closer the attacker is to the victim, the higher the attack’s success rate.
    3. Analysis, Design, Implementation & Evaluation of a Novel Method for Byzantine Robust BGP: by studying the hierarchical structure and the power-law structure properties of the Internet, in addition to thorough OPNET-based analyses, the Localised Overlay Management Plane (LOMP) was proposed. LOMP demonstrates that having only a few security-conscious ASes, placed at particular vantage points, can add Byzantine robustness to BGP to a large extent. This research then realised the LOMP architecture on Cisco infrastructure and evaluated the deployment critically in terms of the added overhead and protocol message signalling.
    4. Analysing the “Trust” in the Future Internet (FI) Forwarding Plane Proposals: two promising FI proposals, namely CURLING as an information-centric networking approach for accessing contents at the Internet scale and OpenFlow, the most commonly deployed software-defined networking technology, are analysed as a final contribution. With the former, five distinct attack scenarios for hijacking contents are revealed and addressed through our synthesis design proposal. With the latter, this research integrates the forwarding of IPsec flows into the OpenFlow architecture in order to facilitate secure group communication based on a novel method.

    Architecture for satellite services over cryptographically heterogeneous networks with application into smart grid

    The rapid growth in the demand for Future Internet services with many emerging group applications has driven the development of satellite systems, which are the preferred delivery mechanism due to their wide area coverage, multicasting capability and speed in delivering affordable future services. Nevertheless, security has been one of the obstacles for both satellite services and smart grid group applications, especially with logical, geographical and cryptographic domains spanning heterogeneous networks and regions. In this paper, an adaptive security architecture is implemented to protect satellite services for smart grid group applications. The focus is on key management and policy provisioning. Leveraging the Group Domain of Interpretation (GDOI) as the standard for a centralized smart grid key/policy management architecture, a single Domain of Interpretation (DOI) is deployed and evaluated critically in terms of the added protocol signaling overhead on the satellite system for a fixed-network scenario. This also partially realizes the growing trend towards the use of TCP/IP technology for smart grid applications.

    Byzantine Robustness for future inter-domain routing security through integrated management plane

    Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol used in the Internet today. The Future Internet will not serve as a trustworthy vehicle for communication without overcoming BGP security challenges. While security should be a built-in element of any good design, it seems to be an arduous add-on process for BGP. The protocol suffers from Byzantine Failure, whereby a legitimate node simply misbehaves. Currently, no systematic method determines on a global scale whether the information received from an Autonomous System (AS) is valid or not. In our view, this is due to the absence of an integrated management plane operating above the control plane. We propose a hybrid method using an overlay network with a global, shared view of the address space ownership, operating over the highly-connected ASes solely for the veracity check of BGP origins. Subsequently, by breaking the hop-by-hop paradigm of BGP with the aid of the introduced management plane, we reach a level of Byzantine Robustness in which the risk of BGP prefix hijacking, a severe instance of Byzantine attacks, is mitigated to a large extent.

    SIP-based internetwork system between Future IP Networks and ZigBee based Wireless Personal Area Networks (WPAN)

    The internetwork system between Future IP Networks and ZigBee Wireless Networks has two main approaches: the SIP Proxy Based approach and the ZigBee Stack Based approach. Because of the dynamic nature of ZigBee devices, both approaches need to be improved to support the connectivity system and the Quality of Service (QoS) for different types of sensing and actuating applications. This paper proposes an initial design for a modified version of SIP (Mod-SIP) for the ZigBee Stack Based approach. In addition, the paper introduces the Combined Approach, an enhanced internetwork system that provides a more reliable and flexible connectivity system between ZigBee WPANs and IP clouds. An initial design and simulation efforts in OPNET were implemented to study the current approaches and compare them with the proposed approaches. They show that the SIP Proxy Based approach is not efficient for Future IP Network applications, as it has a high rate of End-to-End delay because of the lack of flexibility between the SIP signaling system and the ZigBee WPANs. The initial investigations show that the Combined Approach can provide a more reliable connectivity system with support for the QoS of different types of instantaneous applications such as VoIP and video conferencing.

    Evaluation of SIP Signalling and QoS for VoIP over MANETs Reactive Routing Protocols

    In Mobile Ad Hoc Networks (MANET), delays and bandwidth limitations of the wireless network system adversely affect the performance of Voice over IP (VoIP). The call setup time and the voice Quality of Service (QoS) of VoIP calls depend on the routing protocol, the mobility model, and the number of hops between the call parties. A number of research efforts have studied the performance metrics of VoIP over MANET with proactive, reactive, or hybrid routing protocols. In this paper, an evaluation of SIP signaling and voice QoS is presented for SIP-based VoIP calls using the GSM voice codec over MANETs with Static, Uniform, and Random mobility models. This evaluation considered three types of reactive routing protocols, DSR, AODV, and TORA, over IPv4. For SIP signaling, the evaluation examined the call setup time, the number of active calls, the number of rejected calls, and the call duration. For voice QoS, the evaluation studied the End-to-End Delay, the sent traffic and the received traffic of VoIP calls. The evaluation results show that AODV has the best performance over the different types of mobility models, followed by DSR with Static and Uniform mobility models, while TORA has long delays and poor performance over all mobility models. This evaluation helps to improve the performance of VoIP applications over MANETs by identifying the most appropriate reactive routing protocol for different types of mobility models.

    Signaling Performance for SIP over IPv6 Mobile Ad-Hoc Network (MANET)

    The unstable nature of MANETs over different types of wireless topologies and mobility models affects the Quality of Service (QoS) for real-time applications such as Voice over IP (VoIP). One of the most efficient signaling systems for VoIP applications is the Session Initiation Protocol (SIP), which is mainly used to initiate, manage, and terminate VoIP calls over different types of IP-based network systems. As part of the upgrade to the Next Generation Network, MANETs will be considering IPv6 for different types of applications and devices. Therefore, SIP signaling over IPv6 MANETs needs to be investigated with different QoS performance metrics such as bandwidth, packet loss, delay and jitter. In this paper, an evaluation of SIP signaling is conducted for SIP-based VoIP calls using the GSM voice codec over MANETs with Static, Uniform, and Random mobility models. This evaluation considered AODV as a reactive routing protocol and OLSR as a proactive routing protocol over both IPv4 and IPv6. The evaluation of SIP signaling examined call setup time, number of active calls, number of rejected calls and call duration. The results of this study show that, in general, IPv4 has better performance over the different types of mobility models, while IPv6 exhibits longer delays and poor performance over Random mobility models.